Group Policy for Windows 2003
I love everything about Active Directory Group Policies. From playing ‘Mr Nasty’ and screwing down the users’ desktop, to playing ‘Mr Nice’ and pampering users with printer locations and proxy settings, Group Policy is satisfying.
Even troubleshooting Group Policy is a labour of love. Before I share my tips and tricks with you, a word about the underlying problem. It is symptomatic of certain personality types that they want everything at once, the most complex, the most advanced and the most obscure settings. With Group Policy, such an attitude is a recipe for disaster. You need the reverse philosophy. Start simply. Begin by getting one or two obvious policies working. Experiment with removing the run command or the setting; don’t display last user name. Only when you can control which users do, (or don’t) get your simple policy, should you move on to policies that may require a reboot, or specific software or hardware.
80% of all group policy problems are caused because your policy is in one OU, while the user you are troubleshooting is in a different OU. Once you absorb that trick, don’t fall for the trap where a computer policy is applied to the Sales OU, but all the computer objects are in the computer container. Last week I had a new twist, the groups were in a separate branch of Active Directory compared with policies were trying to control them.
You can cure half of the remaining problems are by running gpupdate /force. Most of your residual problems are due to logic, either a double negative, or one policy over-riding another. Solve these problems by studying GPMC (Group Policy Management Console) in general and Group Modeling or Group Results, in particular.
Unfortunately, there are dozens of causes for the remaining 2% of group policies problems. Here are just a few examples.
See more interesting Windows Active Directory articles